IBM Security Z Security

Security for Z

  • 1.  Assigning a specific value to a variable when querying an ACL

    Posted 10 hours ago
    Edited by Stephan Reichelt 10 hours ago

    Hello everyone,
    I have a report with an exploded ACL. Now I want to define my own variable. The goal: I want to generate my own column with the heading "Direct," which should be filled in when a user is directly permitted in the ACL. But I can't get it to work.

    The code:

    n  retain                                                       
       select class=*                                               
       define defacl("ID       Access  Via      When",explode,sort),
       subselect acl(user=* or group=* or id="*")                   
       sortlist class(nd) key("Profile",60),                        
       class(10) defacl defacl:name(25)                             

    I have tried the following, among other things:

    define direct("Direct",8) subselect acl(id=user)  

    But I didn't get any results.


    Best regards
    Stephan



    ------------------------------
    Stephan Reichelt
    ------------------------------



  • 2.  RE: Assigning a specific value to a variable when querying an ACL

    Posted 9 hours ago

    Hi Stephan

    The clause "ID=user" looks for the value "USER".

    For a field-field compare you must use "==" instead of "=": "ID==USER".

    Regards,

    Jeroen



    ------------------------------
    Jeroen Tiggelman
    IBM - Software Development Manager IBM zSecure
    Delft
    ------------------------------



  • 3.  RE: Assigning a specific value to a variable when querying an ACL

    Posted 8 hours ago

    Hello Jeroen,
    Thank you for your prompt reply.
    However, I now have a situation where the results are displayed in the wrong row (always at the beginning of a new profile).
    I would like them to be displayed in the row where the ID and user are the same.

    Result:

    Profile                                                      Class      ID       Access  Via      When                Direkt 
    B48.*.**                                                     $BETA      ZZZUSER  ALTER   SYSP                         M500012
    B48.*.**                                                     $BETA      IBMUSER  ALTER   SYSP                                
    B48.*.**                                                     $BETA      XXYTUSE  ALTER   SYSP                                
    B48.*.**                                                     $BETA      YYYMEGA  ALTER   SYSP                                
    B48.*.**                                                     $BETA      M500012  NONE    M500012                             

    Code:

    n  retain                                                        
       select class=*                                                
       define defacl("ID       Access  Via      When",explode,sort), 
       subselect acl(user=* or group=* or id="*")                    
       define dir("Direkt",explode,sort,8) subselect acl(id==user)   
       sortlist class(nd) key("Profile",60),                         
       class(10) defacl dir defacl:name(20) uacc                     

    Regards

    Stephan



    ------------------------------
    Stephan Reichelt
    ------------------------------



  • 4.  RE: Assigning a specific value to a variable when querying an ACL

    Posted 8 hours ago

    Hi Stephan, 

    If I understand you correctly, you want to report the user IDs with a direct permission to the ACL only.

    In that case, you do not want to explode the ACL in your "define dir" command, as that would also include all user IDs that are permitted through a group connection. You can try something along the lines of:

    define dir("Direkt",8) subselect acl(exists(user))

    That subselection only reports the IDs from the ACL that are user IDs and not group or ID(*). 

    Hope this helps.



    ------------------------------
    Tom Zeehandelaar
    z/OS Security Enablement Specialist - zSecure developer
    IBM
    ------------------------------



  • 5.  RE: Assigning a specific value to a variable when querying an ACL

    Posted 6 hours ago

    Hi Tom, 
    I would like to generate a report with all permits (including groups or "*"). However, for better readability, the "Direct" column should be filled in for lines where a user has direct authorization. The same problem occurs with Exists and without Explode: The user IDs with direct authorization are bundled at the beginning of a new profile where they exist and displayed in the "Direct" column, rather than in the row/height of the profile where the authorization exists. I hope I have been able to express myself clearly.

    Code Now:

    n  retain                                                       
       select class=*                                               
       define defacl("ID       Access  Via      When",explode,sort),
       subselect acl(user=* or group=* or id("*"))                  
       define dir("Direkt",8) subselect acl(exists(user))           
       sortlist class(nd) key("Profile",60),                        
       class(10) defacl dir defacl:name(20) uacc                    


    Best regards
    Stephan



    ------------------------------
    Stephan Reichelt
    ------------------------------



  • 6.  RE: Assigning a specific value to a variable when querying an ACL

    Posted 8 hours ago

    Hi Stephan,

    If your intention is to select all DATASET and GENERAL resources, then

    select class=*

    is not what you want.  That selects everything, including users and groups and all segments.
    The following selects only the dataset and general resource profiles, and only the records from the base segment, as that contains the ACL.

    select segment=base entype=(3,4)

    Instead of ENTYPE=, you can also do CLASS=(DATASET,GENERAL)



    ------------------------------
    Ronald van der Laan
    ------------------------------



  • 7.  RE: Assigning a specific value to a variable when querying an ACL

    Posted 5 hours ago

    Hi Stephan,

    What the SUBSELECT does is discard the values that do not match the selection.
    The remaining values are printed on the first, second, etc. lines.
    There is no way from there to realign them with the lines they would originally have been printed on.

    What you might do is use separate SUBSELECT variables for the DIRECT and INDIRECT references and print those instead of DEFACL.
    To gather the observations together per profile, you would need MERGELIST...ENDMERGE around the two NEWLISTs.
    However, I think this would result in some lines without entries, as some profiles might not have any DIRECT (or INDIRECT) entries.
    [And you can't really do the ID==USER test on SELECT, since that would act before all profiles were seen, so it might not be known yet if the ID was a USER.]

    It might be easier to add a second pass that compares the ID and Via columns and adds something when they are the same.

    Regards,
    Jeroen



    ------------------------------
    Jeroen Tiggelman
    IBM - Software Development Manager IBM zSecure
    Delft
    ------------------------------
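
The second pass suggested in the last reply, sketched in Python as an added example (not code from any poster and not part of zSecure). It assumes the report was saved as fixed-width text with the headings shown in the thread, and that a row whose ID equals its Via value is a direct permit; `mark_direct` and the sample rows are hypothetical.

```python
import re

# Constructed sample in the layout shown in the thread (no Direkt column yet).
# The B48 rows reuse the thread's values; the B49 rows are made up.
ROWS = [
    ("B48.*.**", "$BETA", "ZZZUSER", "ALTER", "SYSP"),
    ("B48.*.**", "$BETA", "IBMUSER", "ALTER", "SYSP"),
    ("B48.*.**", "$BETA", "M500012", "NONE", "M500012"),
    ("B49.*.**", "$BETA", "IBMUSER", "READ", "IBMUSER"),
    ("B49.*.**", "$BETA", "ZZZUSER", "READ", "SYSP"),
]
FMT = "{:<60} {:<10} {:<8} {:<7} {:<8} {}"
SAMPLE_REPORT = "\n".join(
    [FMT.format("Profile", "Class", "ID", "Access", "Via", "When")]
    + [FMT.format(*row, "").rstrip() for row in ROWS]
)


def column_spans(header):
    """Map each heading word to its (start, end) slice in the header line."""
    hits = [(m.group(), m.start()) for m in re.finditer(r"\S+", header)]
    spans = {}
    for i, (name, start) in enumerate(hits):
        end = hits[i + 1][1] if i + 1 < len(hits) else None
        spans[name] = (start, end)
    return spans


def mark_direct(report, heading="Direct"):
    """Append a column holding the ID on rows where ID and Via are equal."""
    lines = report.splitlines()
    spans = column_spans(lines[0])
    width = max(len(line.rstrip()) for line in lines)
    out = [f"{lines[0].rstrip():<{width}} {heading}"]
    for line in lines[1:]:
        padded = line.ljust(width)  # short rows still slice cleanly
        ident = padded[slice(*spans["ID"])].strip()
        via = padded[slice(*spans["Via"])].strip()
        flag = ident if ident and ident == via else ""
        out.append(f"{padded} {flag}".rstrip())
    return out


if __name__ == "__main__":
    print("\n".join(mark_direct(SAMPLE_REPORT)))
```

Because the flag is computed per row, it stays on the line of the permit it belongs to instead of collecting at the start of each profile.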